IdentityServer4 without redirects

I'm implementing IdentityServer4 as my authentication service.

The client that will use this is an Angular app. From all the examples I've seen, the client is redirected to a page hosted on the identity server which is returned back to the client afterwards.

For user experience, I would like to keep the user on my page the whole time. So this leads to a couple of questions:

  1. Can the identity server UI be displayed in a DIV or an iframe within a site? I'm guessing that iframe is a bit frowned upon?

  2. If the above is not possible, is it possible to host the login UI on the client app, not the identity server?

I suppose it's more of a question for the UX group, but I would have thought that keeping the user within the site would lead to a better user experience instead of redirecting them completely?

ADringer asked Apr 04 '17 20:04




1 Answer

The UX question depends on a number of things, and UX has to be tempered by security considerations.

If you completely own the client, and the identity server, you could use the ResourceOwnerPasswordFlow which doesn't involve redirects and allows your client to take the username/password and obtain an access token using them.

This kind of flow, though, is not recommended if you don't own the client and/or don't trust it with the credentials. Imagine the situation where a website delegates its login process to something like Google/Facebook... as the owner of the identity (Google/Facebook), you really wouldn't want your customers entering their password into some random website. Instead you would use the redirect flows to present a familiar and trusted URL that the customer would be happier to enter their details into.

So the question of redirects isn't a simple 'it gives bad UX', because in many cases it is a better UX to involve redirects if that brings with it an enhanced sense of security.

Mashton answered Oct 13 '22 22:10
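As an added illustration (not code from the question or the answer, and not from the IdentityServer4 project itself), this is how the two options in the answer look side by side in an IdentityServer4 in-memory client configuration: a client permitted to use the resource owner password grant, and a redirect-based client for the Angular app. The client ids, origin, redirect URIs and the `api1` scope are assumed values, and the choice of authorization code with PKCE as the redirect flow for a browser app is my assumption, not something the answer states.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Clients
{
    public static IEnumerable<Client> Get() => new List<Client>
    {
        // Option A from the answer: resource owner password grant.
        // The Angular app collects the username/password itself and posts them
        // to the token endpoint, so the user never leaves the page.
        // Acceptable only when you own and trust the client, because the client
        // (and any script running in it) sees the raw credentials.
        new Client
        {
            ClientId = "angular-ropc",                          // assumed name
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            RequireClientSecret = false,                        // a SPA cannot keep a secret
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" }, // assumed scope
            AllowedCorsOrigins = { "https://app.example.com" }, // assumed origin
            AccessTokenLifetime = 3600
        },

        // Option B: a redirect flow. The browser is sent to the identity server's own
        // login page and comes back with a code; the client never handles the password,
        // which is the trust argument the answer makes for Google/Facebook-style logins.
        new Client
        {
            ClientId = "angular-code",                          // assumed name
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,                                 // public client: bind the code to this browser
            RequireClientSecret = false,
            RedirectUris = { "https://app.example.com/callback" },      // assumed
            PostLogoutRedirectUris = { "https://app.example.com/" },    // assumed
            AllowedCorsOrigins = { "https://app.example.com" },
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" }
        }
    };
}
```

Register either list with `AddInMemoryClients(Clients.Get())`; a client that is only ever meant to use redirects should not also be granted `ResourceOwnerPassword`, otherwise the token endpoint will accept passwords from it regardless of what the front end does.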